Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n/a through 3.7.1.
Published: 2026-04-15
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: SQL Injection
Action: Patch Upgrade
AI Analysis

Impact

The vulnerability lies in improper neutralization of special characters within an SQL statement, enabling an attacker to inject malicious code. This flaw permits unauthorized manipulation of the database, potentially allowing the adversary to read, alter, or delete sensitive data. The weakness is classified as an input validation flaw that compromises database integrity and confidentiality.

Affected Systems

The issue affects the WC Lovers WCFM Marketplace WordPress plugin for all versions up to and including 3.7.1. Users operating the plugin within this version range are at risk.

Risk and Exploitability

The CVSS score of 7.6 reflects a high severity condition, indicating a significant threat if exploited. At present, the EPSS score is not disclosed, suggesting no publicly available metrics. Since the vulnerability is not listed in the CISA KEV catalog, no confirmed exploits are noted in that database. The likely attack vector is a web‑based request that passes unfiltered input to the database, and it requires the attacker to have a way to supply crafted payloads via the affected plugin’s exposed interfaces. If successful, the attacker could gain unauthorized database access, leading to data breach or alteration.

Generated by OpenCVE AI on April 15, 2026 at 19:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to WCFM Marketplace 3.7.2 or later
  • Configure the WordPress database user with the least privileges necessary for the application to operate
  • Implement comprehensive input validation and prepared statements in the plugin’s database interactions

Generated by OpenCVE AI on April 15, 2026 at 19:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Wclovers
Wclovers wcfm Marketplace
Wordpress
Wordpress wordpress
Vendors & Products Wclovers
Wclovers wcfm Marketplace
Wordpress
Wordpress wordpress

Wed, 15 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n/a through 3.7.1.
Title WordPress WCFM Marketplace plugin <= 3.7.1 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Wclovers Wcfm Marketplace
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-15T17:16:01.919Z

Reserved: 2025-10-24T14:25:44.113Z

Link: CVE-2025-63029

cve-icon Vulnrichment

Updated: 2026-04-15T17:13:01.798Z

cve-icon NVD

Status : Received

Published: 2026-04-15T17:17:00.613

Modified: 2026-04-15T17:17:00.613

Link: CVE-2025-63029

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z

Weaknesses